Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12431
Publication date:
14/06/2018
SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_config.php page (aka a system management page).
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2018

CVE-2018-12432
Publication date:
14/06/2018
JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2018

CVE-2018-12420
Publication date:
14/06/2018
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018

CVE-2018-12423
Publication date:
14/06/2018
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-6516
Publication date:
14/06/2018
On Windows only, with a specifically crafted configuration file an attacker could get Puppet PE client tools (aka pe-client-tools) 16.4.x prior to 16.4.6, 17.3.x prior to 17.3.6, and 18.1.x prior to 18.1.2 to load arbitrary code with privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-11690
Publication date:
14/06/2018
The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2019

CVE-2017-12070
Publication date:
14/06/2018
Unsigned versions of the DLLs distributed by the OPC Foundation may be replaced with malicious code.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2018

CVE-2018-11689
Publication date:
14/06/2018
Web Viewer for Hanwha DVR 2.17 and Smart Viewer in Samsung Web Viewer for Samsung DVR are vulnerable to XSS via the /cgi-bin/webviewer_login_page data3 parameter. (The same Web Viewer codebase was transitioned from Samsung to Hanwha.)
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2022

CVE-2018-8819
Publication date:
14/06/2018
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2021

CVE-2018-11574
Publication date:
14/06/2018
Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2018-12421
Publication date:
14/06/2018
LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.
Severity CVSS v4.0: Pending analysis
Last modification:
10/08/2018

CVE-2018-12114
Publication date:
14/06/2018
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2018
Subscribe to Vulnerabilities